Use of isogenies for design of cryptosystems

ABSTRACT

Techniques are disclosed to provide public-key encryption systems. More particularly, isogenies of Abelian varieties (e.g., elliptic curves in one-dimensional cases) are utilized to provide public-key encryption systems. For example, the isogenies permit the use of multiple curves instead of a single curve to provide more secure encryption. The techniques may be applied to digital signatures and/or identity based encryption (IBE) solutions. Furthermore, the isogenies may be used in other applications such as blind signatures, hierarchical systems, and the like. Additionally, solutions are disclosed for generating the isogenies.

RELATED APPLICATION

The present application claims priority from the U.S. provisional patent application number 60/517,142, filed Nov. 3, 2003, entitled “Use of Isogenies for Design of Cryptosystems,” the disclosure of which is incorporated herein by reference.

TECHNICAL FIELD

The present invention generally relates to cryptology, and more particularly, to utilization of isogenies for design of cryptosystems.

BACKGROUND

As digital communication becomes more commonplace, the need for securing the associated communication channels becomes increasingly more important. For example, current technologies allow a user to remotely access bank accounts, medical data, and other private and sensitive information.

Cryptology has been widely used to provide secure digital communication. Cryptology generally relates to the enciphering (or encrypting) and deciphering (decrypting) of messages. The encryption and decryption use some secret information (such as a key). In different encryption methods, a single key or multiple keys may be used for encryption and decryption.

One commonly used multiple key cryptosystem is a public-key encryption system. In a public-key system, a sender wishing to send an encrypted message to a recipient obtains an authenticated public key for the recipient that is generated using a private key. As the name implies, the public key can be available from public sources. Moreover, to avoid an impersonation attack, the public key is often authenticated. The public-key authentication may be made by a technique such as exchanging keys over a trusted channel, using a trusted public file, using an on-line trusted server, or using an off-line server and certificates.

After obtaining the authenticated public key, the sender encrypts an original message with the public key and generates a ciphertext. The intended recipient then utilizes the private key to decrypt the ciphertext to extract the original message. Decrypting the ciphertext without access to the private key is believed to be infeasible. Accordingly, only a party that has access to the private key may successfully decrypt the ciphertext.

One significant advantage of public-key systems over symmetric cryptosystems (such as stream or block ciphers) is that in two-party communications, only the private key needs to be kept secret (whereas in symmetric cryptosystems, the key is kept secret at both ends).

A current public-key encryption system utilizes certain elliptic curves (ECs) over a finite field. A pair of published values derived from an elliptic curve is utilized as a public key (including points on the curve and their corresponding public key which is generated by a simple multiplication (i.e., integer multiplication) on the curve). Verification is done using a bilinear pairing on the curve.

Generally, elliptic curves are believed to provide encryption systems with relatively lower communication requirements than traditional systems such as RSA (Rivest, Shamir, and Adleman public key encryption technology), while maintaining similar security levels.

An issue with the current public-key encryption systems is that none has been proven to be secure. As a result, the security of current public-key encryption systems is presumed based on the difficulty of a set of number-theoretic problems.

Accordingly, public-key encryption systems are desired which provide additional security.

SUMMARY

Techniques are disclosed to provide public-key encryption systems. More particularly, isogenies of Abelian varieties (e.g., elliptic curves in one-dimensional cases) are utilized to provide public-key encryption systems. For example, the isogenies permit the use of multiple curves instead of a single curve to provide more secure encryption. The techniques may be applied to digital signatures and/or identity based encryption (IBE) solutions. Furthermore, isogenies may be used in other applications such as blind signatures, hierarchical systems, and the like. Additionally, solutions are disclosed for generating the isogenies.

In one described implementation, a method includes publishing a public key corresponding to an isogeny. The method further includes decrypting an encrypted message using a decryption key which corresponds to the isogeny (e.g., is its dual isogeny).

BRIEF DESCRIPTION OF THE DRAWINGS

The detailed description is described with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items.

FIG. 1 illustrates an exemplary method for using isogenies in a cryptosystem.

FIG. 2 illustrates an exemplary map of an isogeny between two curves.

FIG. 3 illustrates an exemplary method for signing a message using isogenies.

FIG. 4 illustrates an exemplary map of an isogeny between multiple curves.

FIG. 5 illustrates an exemplary method for identity based encryption (IBE) using isogenies.

FIG. 6 illustrates a general computer environment 600, which can be used to implement the techniques described herein.

DETAILED DESCRIPTION

The following discussion assumes that the reader is familiar with cryptography techniques. For a basic introduction to cryptography, the reader is directed to a text written by A. Menezes, P. van Oorschot, and S. Vanstone entitled “Handbook of Applied Cryptography,” fifth printing (August 2001), published by CRC Press.

The following disclosure describes techniques for improving public-key systems that are based on multiple elliptic curves (or Abelian varieties in general). Various techniques are disclosed for generating isogenies (or mappings) between the curves. The generated isogenies permit use of multiple curves instead of a single curve to provide public encryption. Furthermore, the techniques may be applied to relatively short digital signatures (e.g., typed in by a user or sent over a low-bandwidth channel) and/or identity based encryption (IBE) solutions (e.g., allowing memorizable public keys). The short signatures may also provide additional efficiency through aggregate verification.

Overview of Cryptosystems with Isogenies

FIG. 1 illustrates an exemplary method 100 for using isogenies in a cryptosystem. A stage 102 generates isogenies (of elliptic curves, or more generally Abelian varieties). The isogenies may be generated by a receiving party or another party (such as a trusted party further discussed with reference to FIG. 5). The stage 102 may also generate the corresponding dual isogeny for each of the generated isogenies (as will be further discussed below). Various methods for generating isogenies are detailed below under the same title. Additionally, as will be further detailed with reference to FIGS. 3 and 5, the generated isogenies are utilized to provide public keys and the public keys are published (104). The public keys may be published by the sending party or a trusted authority (see, e.g., discussion of FIGS. 3 and 5).

A sending party then encrypts (or signs) messages using an encryption key (106). The encrypted messages of the stage 106 may be verified/decrypted by the receiving party using a decryption key to determine the authenticity of the encryption or signing (108). In one implementation, Weil pairing is utilized to verify the encrypted messages (such as discussed below under the same title). However, Weil pairing is but one example of pairing that may be utilized for the verification or decryption. For example, other bilinear and/or non-degenerate pairing techniques may be utilized such as Tate pairing and square pairing.

Overview of Isogenies

FIG. 2 illustrates an exemplary map of an isogeny 200 between two curves (e.g., elliptic curves). As illustrated, a curve E₁ may be mapped onto a curve E₂ by an isogeny φ (where φ: E₁→E₂). FIG. 2 also illustrates the dual isogeny φ̂ (where φ̂: E₂→E₁).

In various implementations, using isogenies in cryptosystems is envisioned to provide properties such as: given a curve E₁, generating a pair (φ,E₂) is relatively efficient, where φ: E₁→E₂ is an isogeny, but given a pair (E₁, E₂) of isogenous curves, it is believed to be relatively hard to construct any nonzero isogeny φ: E₁→E₂, much less a specific isogeny. Therefore, if a distinction is drawn between a global break (defined as a computation allowing any subsequent message to be broken in polynomial time) and a per-instance break, then the best known attacks at this time against isogeny based cryptosystems take either substantially more time than discrete log for a global break or else one discrete log computation per message for the “naive” per-instance attack.

For example, considering a token system where each client is given a specific signed message that grants access to some service (which may be of low value), the client may have to read the token over the phone to a representative, and thus the signatures can be relatively short. It will be reasonable to use parameters that are sufficiently large to make a per message attack more costly than the service provided, while keeping a global break prohibitively expensive.

Details of Isogenies

A field k can be fixed with characteristic p with q elements and having an algebraic closure k̄. Let E/k be an elliptic curve defined over a field k and E(k) be the group defined over k, and let k(E) denote the function field of the elliptic curve. Also, let [n]_E or [n] denote the map P ↦ n·P on E and E[n] denote the kernel of this map.

An isogeny φ: E₁→E₂ is a non-constant morphism that sends the identity element of E₁ to that of E₂. When such an isogeny exists, one may say that E₁ and E₂ are isogenous. The isogeny is defined over k if φ has defining equations with coefficients in k. Any isogeny also turns out to be a group homomorphism, i.e., φ(P+Q)=φ(P)+φ(Q) for all P,Q ∈ E₁, where the addition on the left hand side is the group law on E₁ and the addition on the right hand side is that of E₂. Hence the kernel of φ is a subgroup of E₁.

Let Hom_k(E₁,E₂) denote the set of isogenies from E₁ to E₂ that are defined over k. Hom_k̄(E₁,E₂) is denoted by Hom(E₁,E₂). For any isogeny φ: E₁→E₂, there is a dual isogeny φ̂: E₂→E₁ such that φ̂∘φ=[n]_{E₁} and φ∘φ̂=[n]_{E₂}, where n=deg(φ) is the degree of the isogeny. The dual isogeny satisfies the standard properties: $\hat{\hat{\phi}} = \phi,\quad \widehat{\phi + \psi} = \hat{\phi} + \hat{\psi},\quad \widehat{\phi \circ \psi} = \hat{\psi} \circ \hat{\phi},\quad \widehat{[n]} = [n].$

In an implementation, the degree of φ as a finite map can be further defined as: the degree of the extension of k(E₁) over the pullback (by φ) of the field k(E₂), where φ is defined over k. It may be convenient to think of it in terms of the size of its kernel (assuming the function field extension is separable) or by the equation above. Hence, it is said that the isogeny is B-smooth if its degree is B-smooth (i.e., the prime divisors of deg(φ) are less than or equal to B). The set Hom(E,E) of endomorphisms of an elliptic curve E is denoted End(E); this set has the structure of a ring given by defining: (φ+ψ)(P)=φ(P)+ψ(P), (φ∘ψ)(P)=φ(ψ(P)).

Generally, the group Hom(E₁,E₂) is a torsion free left End(E₂)-module and right End(E₁)-module. When E₁=E₂=E, the algebraic structure is richer: Hom(E₁,E₂)=End(E) is a ring (not just a module) with no zero divisors and has characteristic zero.

In one implementation, this can be thought of as a lattice: Let E be an elliptic curve defined over some field k. Then, End(E) is isomorphic to either Z, an order in a quadratic imaginary field, or a maximal order in a quaternion algebra. For any two elliptic curves E₁, E₂, the group Hom(E₁,E₂) is a free Z-module of rank at most 4. When End(E) is larger than Z, one says that E has complex multiplication. The element in End(E) corresponding to the Frobenius endomorphism (x,y) ↦ (x^p, y^p) is denoted by π, and it satisfies the characteristic equation x²−tr(E)x+q=0. The conductor of the elliptic curve c is [End(E): Z[π]].

Weil Pairing

The Weil pairing e_n: E[n]×E[n]→μ_n is a bilinear, non-degenerate map with values in the group of n-th roots of unity in k. In one implementation, Weil pairing is utilized to perform the verification/decryption stage 108 of FIG. 1. However, Weil pairing is but one example of pairing that may be utilized for the verification or decryption. For example, other bilinear and/or non-degenerate pairing techniques may be utilized such as Tate pairing and square pairing. The Weil pairing satisfies the following property: e_n(S, φ̂(T)) = e_n(φ(S), T), where S ∈ E₁[n], T ∈ E₂[n].

Here, e_n(S, φ̂(T)) is a pairing computation on E₁ while e_n(φ(S),T) is on E₂. Note that both curves have n-torsion points, which puts a constraint on their group orders. This does not pose a problem, since by a theorem of Tate, E₁(k) and E₂(k) are isogenous over k if and only if the two groups of points have the same order.
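As an added worked example (not code from the patent), the following Python builds a degree-2 isogeny with Vélu's formulas over a constructed toy field F₁₀₁ and checks the properties stated in the two preceding sections: the map is a group homomorphism whose kernel is a subgroup, the isogenous curves have the same number of F_p-points (Tate), and composing φ with a second 2-isogeny that plays the role of its dual gives [2], as in φ̂∘φ=[n]. The prime 101, the curve y² = x³ − x, and the scaling isomorphism E₃→E₁ are assumptions of the example; Vélu's formulas are a standard construction the page does not spell out.

```python
# Added example: a 2-isogeny via Velu's formulas over the constructed field F_101.
p = 101  # constructed small prime; curves are y^2 = x^3 + a*x + b over F_p


def inv(x):
    """Modular inverse in F_p (p prime)."""
    return pow(x % p, p - 2, p)


def on_curve(P, a, b):
    return P is None or (P[1] ** 2 - P[0] ** 3 - a * P[0] - b) % p == 0


def add(P, Q, a):
    """Group law on y^2 = x^3 + a*x + b; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                       # P = -Q (covers doubling a 2-torsion point)
    if P == Q:
        lam = (3 * x1 * x1 + a) * inv(2 * y1) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def points(a, b):
    """All F_p-rational points, by brute force (fine for p = 101)."""
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    pts = [None]
    for x in range(p):
        for y in roots.get((x ** 3 + a * x + b) % p, []):
            pts.append((x, y))
    return pts


def velu2(a, b, x0):
    """Velu's formulas for the kernel {O, (x0, 0)}: returns (a2, b2, phi)."""
    assert (x0 ** 3 + a * x0 + b) % p == 0, "(x0, 0) must be a 2-torsion point"
    t = (3 * x0 * x0 + a) % p
    w = x0 * t % p
    a2, b2 = (a - 5 * t) % p, (b - 7 * w) % p

    def phi(P):
        if P is None or P[0] == x0:       # exactly the kernel maps to O
            return None
        x, y = P
        d = inv(x - x0)
        return ((x + t * d) % p, (y - t * y * d * d) % p)

    return a2, b2, phi


def is_homomorphism(phi, a, a2, pts):
    """phi(P + Q) == phi(P) + phi(Q) for every pair of points (addition on E1, then E2)."""
    images = {P: phi(P) for P in pts}
    return all(phi(add(P, Q, a)) == add(images[P], images[Q], a2)
               for P in pts for Q in pts)


def kernel(phi, pts):
    return [P for P in pts if phi(P) is None]


# E1: y^2 = x^3 - x has the 2-torsion point (0, 0).
A1, B1 = -1 % p, 0
A2, B2, phi = velu2(A1, B1, 0)            # E2: y^2 = x^3 + 4x
A3, B3, phi_hat = velu2(A2, B2, 0)        # E3: y^2 = x^3 - 16x, isomorphic to E1


def to_E1(P):
    """Isomorphism E3 -> E1, (x, y) -> (x/4, y/8) (u = 2 scaling)."""
    return None if P is None else (P[0] * inv(4) % p, P[1] * inv(8) % p)


def dual_composition_is_doubling():
    """to_E1(phi_hat(phi(P))) == [2]P for every P on E1, i.e. phi_hat o phi = [2]."""
    return all(to_E1(phi_hat(phi(P))) == add(P, P, A1) for P in points(A1, B1))


if __name__ == "__main__":
    E1, E2 = points(A1, B1), points(A2, B2)
    print("#E1 =", len(E1), "#E2 =", len(E2))            # equal, as Tate's theorem requires
    print("homomorphism:", is_homomorphism(phi, A1, A2, E1))
    print("kernel:", kernel(phi, E1))                      # [None, (0, 0)]
    print("dual o phi = [2]:", dual_composition_is_doubling())
```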

The Weil pairing evaluates the identity for all pairs of inputs which are linearly dependent. Consequently, a mechanism would be beneficial to ensure that the input points are not scalar multiples of each other. One approach is to use a curve E₂ defined over a finite field k which is large enough that the full group E₂[n]≅(Z/nZ)² of n-torsion points is defined over k. In this situation, the probability that two random elements of the group E₂[n] are linearly dependent is negligible, on the order of 1/n, so the value of the Weil pairing can be nontrivial with high probability. The equation above ensures that the distribution of pairing values on E₁ will match that of E₂.

Alternatively, a modified pairing function ẽ(P,Q)=e_n(λ(P),Q) may be used where λ is any non-scalar endomorphism, so that P and λ(P) are linearly independent and ẽ(P,P)≠1. Such a map λ is called a distortion or twist of E.

Generation of Isogenies

In various implementations, a number of methods can be used to construct isogenies of high degree (e.g., of elliptic curves, or more generally Abelian varieties) and their duals such as discussed with reference to the stage 102 of FIG. 1. The short digital signature and IBE cryptosystems discussed herein may follow the convention that pairs of values (P,φ(P)) are published as the public key, while evaluation of the dual φ̂ constitutes the private key.

In one implementation, the constructions can be summarized as: given any E, there is an algorithm for constructing isogenies E→E whose degree n is randomly distributed, and is a prime with probability ˜1/log(n); given any curve E₁, there is an algorithm for constructing random B-smooth isogenies from E₁ to random targets in time O(B³); and given E₁,E₂ and two linearly independent isogenies in Hom_k(E₁,E₂) that have relatively prime degree, there is an algorithm to construct isogenies of prime degree (see, e.g., the discussion below with respect to independent isogenies).

Complex Multiplication Isogenies

Let E₁=E₂ as before and assume that E₁ has complex multiplication (CM) by the imaginary quadratic order O_D of discriminant D<0. A probabilistic algorithm may be described for producing such a curve E₁ together with an endomorphism φ of E₁ of large prime degree, in expected time polynomial in |D|.

1. Compute the Hilbert class polynomial H_D(X) of discriminant D. Let K denote the splitting field of H_D(X) over Q.

2. Choose any root x of H_D(X) and construct an elliptic curve E over C having j-invariant equal to x. Note that E is defined over the number field K.

3. By construction, the curve E has complex multiplication by √D. Using linear algebra on q-expansions, find explicitly the rational function I(X,Y) with coefficients in K corresponding to the isogeny √D ∈ End E.

4. Choose random integers a and b until a²−b²D is prime. Then, the isogeny a+b√D will be an endomorphism of E having prime degree.

5. Choose any prime ideal P of K and reduce the coefficients of E and of I modulo P. Let E₁ denote the reduction of E and let φ be the reduction of a+b√D.

Stages 1-3 of the algorithm are deterministic and polynomial time in |D|. As for stage 4, the prime number theorem for number fields implies that a²−b²D has probability 1/log(a²−b²D) of being prime, so for integers a and b of size n one can expect stage 4 to terminate after log(Dn²) trials.

The resulting endomorphism φ is an endomorphism of E₁ of prime degree. Both φ and its dual φ̂=a−b√D can be evaluated by having knowledge of a and b, using only the rational function I(X,Y) along with scalar multiplication and addition. Such an isogeny φ may be called a CM-isogeny.

Modular Isogenies

For any prime l, the modular curve X₀(l) parameterizes isomorphism classes of isogenies E₁→E₂ of degree l. More specifically, there exists a polynomial equation Φ_l(X,Y) for X₀(l) with the property that E₁ and E₂ are l-isogenous if and only if Φ_l(j(E₁),j(E₂))=0.

Using the polynomial Φ_l(X,Y), one can compute for any E₁ an l-isogenous curve E₂ together with an explicit polynomial equation for the degree l isogeny E₁→E₂. Because the modular polynomial is symmetric in X and Y, computation with the j-invariants reversed can be used to find the dual isogeny.

In practice, one may not use the polynomials Φ_l(X,Y) for actual computations because the coefficients of these polynomials are rather large. Instead, different but equivalent polynomial models may be used for X₀(l) having smaller coefficients. Regardless of the precise model used for the computation, an isogeny derived in this way may be referred to as a modular isogeny.

The currently known algorithms for computing modular isogenies are generally feasible for small values of l. By itself, the use of modular isogenies of small degree does not add much security, because an attacker who knows the curves E₁ and E₂ could check for each l whether the curves are l-isogenous and recover the l-isogeny in the case that they are. However, one can compose many modular isogenies (e.g., for different choices of l) into one isogeny φ of large smooth degree Πl, and use φ as an isogeny without revealing the intermediate curves. An attacker who has the ability to evaluate φ on arbitrary points may still deduce the primes l by computing all the l-torsion points of E₁ and seeing whether any of them are annihilated by φ. However, under the assumption that the dual isogeny computation problem is hard, the attacker will not be able to evaluate φ on points of his choosing. For good measure, one can also compose the resulting isogeny either with scalar isogenies or with CM isogenies in order to introduce large non-smooth factors into the degree in an implementation.

Linearly Independent Isogenies

In an implementation, the linearly independent isogenies φ and ψ are given from E₁ to E₂ of relatively prime degree. As a result, the linear combination aφ+bψ has a degree given by the quadratic form a²φ̂φ + ab(φ̂ψ + ψ̂φ) + b²ψ̂ψ in the two variables a and b. Note that the coefficients of this quadratic form are integers, since the outer coefficients are the degrees of φ and ψ and the middle term is equal to deg(φ+ψ)−deg(φ)−deg(ψ). Since the quadratic form is primitive, it attains prime values infinitely often as a and b vary over all pairs (a,b) ∈ Z². In this way, many isogenies E₁→E₂ of large non-smooth (or even prime) degree may be obtained. The probability that the resulting degree will be non-smooth may also be estimated.
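As an added example (not code from the patent) serving both stage 4 of the CM construction and the linear-combination construction just described: a search for prime values of a primitive binary quadratic form Q(a,b) = Aa² + Bab + Cb², which for the CM case is deg(a+b√D) = a² − Db² and for aφ+bψ is a²·deg φ + ab·(deg(φ+ψ)−deg φ−deg ψ) + b²·deg ψ, with the observed trial count compared against the log(Dn²) heuristic of the text. The concrete coefficients (D = −7, isogeny degrees 5 and 7 with middle coefficient 3) and the Miller–Rabin primality test are assumptions of the example.

```python
# Added example: searching a primitive quadratic form (a degree form) for prime values.
import math
import random


def is_probable_prime(n, rounds=16, rng=random.Random(0)):
    """Miller-Rabin (probabilistic; adequate for a demonstration)."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False              # no square reached n-1: composite
    return True


def quadratic_form(A, B, C):
    """Q(a, b) = A a^2 + B a b + C b^2, the degree of a*phi + b*psi."""
    return lambda a, b: A * a * a + B * a * b + C * b * b


def is_primitive(A, B, C):
    """If gcd(A, B, C) > 1 it divides every value, so the form never attains a prime (beyond the gcd)."""
    return math.gcd(math.gcd(A, B), C) == 1


def cm_form(D):
    """Stage 4 of the CM construction: deg(a + b*sqrt(D)) = (a + b sqrt D)(a - b sqrt D) = a^2 - D b^2."""
    assert D < 0
    return (1, 0, -D)


def find_prime_value(A, B, C, bits, seed):
    """Sample a, b of `bits` bits until Q(a, b) is prime. Returns (a, b, Q(a, b), trials)."""
    assert is_primitive(A, B, C) and B * B < 4 * A * C   # positive definite: degrees are > 0
    Q = quadratic_form(A, B, C)
    rng = random.Random(seed)          # seeded so runs are reproducible
    trials = 0
    while True:
        trials += 1
        a, b = rng.getrandbits(bits), rng.getrandbits(bits)
        n = Q(a, b)
        if is_probable_prime(n):
            return a, b, n, trials


def average_trials(A, B, C, bits, runs, seed=1):
    """Empirical mean sample count, to set beside the log(D n^2) heuristic."""
    return sum(find_prime_value(A, B, C, bits, seed + i)[3] for i in range(runs)) / runs


if __name__ == "__main__":
    D, bits = -7, 32
    a, b, n, trials = find_prime_value(*cm_form(D), bits, seed=2)
    print(f"deg(a + b*sqrt({D})) = {n} is prime after {trials} trials;",
          "the dual a - b*sqrt(D) has the same degree:", quadratic_form(*cm_form(D))(a, -b) == n)
    print("heuristic log(|D| n^2) ~", round(math.log(abs(D) * (1 << bits) ** 2), 1),
          "observed mean:", average_trials(*cm_form(D), bits, 40))
    # constructed case: phi, psi of coprime degrees 5 and 7, middle coefficient 3
    a, b, n, trials = find_prime_value(5, 3, 7, bits, seed=3)
    print(f"deg({a}*phi + {b}*psi) = {n}, prime after {trials} trials")
```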

Short Signature Schemes Using Isogenies

In an implementation, the techniques discussed herein may be applied to relatively short signature schemes (e.g., typed in by a user or sent over a low-bandwidth channel). Two signature schemes will be discussed below which are partly based on mathematical properties of isogenies and pairings on elliptic curves.

Galois Invariant Signatures

Let F_{q^n}/F_q be an extension of finite fields of degree n. Take an elliptic curve E₁ defined over F_q together with an isogeny φ: E₁→E₂ defined over F_{q^n}, where E₂ is an elliptic curve defined over F_{q^n}. In one implementation, the curve E₂ is defined over L rather than over a subfield of L, but it is possible to take E₂ defined over only a subfield. However, for security reasons, the isogeny φ may not be defined over any proper subfield of F_{q^n}. Moreover, the isogeny φ may be generated in accordance with various techniques such as those discussed above.

FIG. 3 illustrates an exemplary method 300 for signing a message using isogenies. The method 300 includes the following stages:

Public Key. Pick random P ∈ E₁(F_q) and publish (P,Q) (302), where Q=φ(P). Note that P is defined over F_q but Q is not defined over F_q, because φ is not.

Secret Key. The dual isogeny φ̂ of φ.

Signature. Let H be a (public) random oracle from the message space to the set of k-torsion points on E₂. Given a message m, compute $S = \sum_{i=0}^{n-1} \pi^{i}\hat{\phi}\,H(m)$ (stage 304, which provides a signature using the secret/private key generated as discussed above), where π is the q-th power Frobenius map and the sum denotes the elliptic curve sum on E₁. For convenience, we denote the operator $\sum_{i=0}^{n-1} \pi^{i}$ by Tr (which stands for “trace”). Output S ∈ E₁(F_q) as the signature. The signature is then sent to and received by a receiving party (306 and 308, respectively). Note that the Galois group of F_{q^n}/F_q is {1, π, . . . , π^{n−1}}, so S is Galois invariant and thus is defined over F_q.

Verification. Let e₁ and e₂ denote the Weil pairings on E₁[k] and E₂[k], respectively. Given a public key (P,Q) and a message-signature pair (m,S), check whether $e_{1}(P,S) = \prod_{i=0}^{n-1} \pi^{i}\, e_{2}(Q, H(m))$ (stage 310, which verifies the received signature using the public key generated as discussed above). Accordingly, a valid signature satisfies this equation, as follows:
$\begin{aligned} e_{1}(P,S) &= e_{1}\Big(P, \sum_{i=0}^{n-1} \pi^{i}\hat{\phi}\,H(m)\Big) = \prod_{i=0}^{n-1} e_{1}\big(P, \pi^{i}\hat{\phi}\,H(m)\big) \\ &= \prod_{i=0}^{n-1} e_{1}\big(\pi^{i}P, \pi^{i}\hat{\phi}\,H(m)\big) = \prod_{i=0}^{n-1} \pi^{i}\, e_{1}\big(P, \hat{\phi}\,H(m)\big) \\ &= \prod_{i=0}^{n-1} \pi^{i}\, e_{2}\big(\phi(P), H(m)\big) = \prod_{i=0}^{n-1} \pi^{i}\, e_{2}\big(Q, H(m)\big). \end{aligned}$

Also, the trace map may be used down to a base field to shorten points on an elliptic curve (or more generally on any Abelian variety). In other words, the output of a trace map on elliptic curves (or higher dimensional Abelian varieties) may be utilized as a method for shortening the representation of a point over an extension field by using data on the lower field.

Signing with Multiple Elliptic Curves

Another way to enhance the strength of short signature schemes is to use multiple public keys and add up the resulting signatures. This modification can be used by itself or combined with the Galois invariant enhancement discussed above.

With reference to FIG. 4, we assume there is a family of isogenies φ_i: E→E_i and a family of random oracle hash functions H_i each mapping a message m into a point on the elliptic curve E_i. Similar to the stages discussed with reference to FIG. 3:

Public key. Pick random P ∈ E and publish P, Q₁, Q₂, . . . , Q_n (see, e.g., 302), where Q_i=φ_i(P).

Secret key. The family of isogenies φ_i.

Signature. For each message m, the signature of m (S) is $S = \sum_{i=1}^{n} \hat{\phi}_{i}\big(H_{i}(m)\big)$ (see, e.g., 304). The signed message is then sent to a receiving party (see, e.g., 306).

Verification. Given a (message, signature) pair (m, S), check whether $e(P,S) = \prod_{i=1}^{n} e\big(Q_{i}, H_{i}(m)\big)$ (see, e.g., stage 310 discussed with reference to FIG. 3). For a valid signature this equation holds since: $e(P,S) = e\Big(P, \sum_{i=1}^{n} \hat{\phi}_{i}\big(H_{i}(m)\big)\Big) = \prod_{i=1}^{n} e\big(P, \hat{\phi}_{i}(H_{i}(m))\big) = \prod_{i=1}^{n} e\big(Q_{i}, H_{i}(m)\big).$

The system is believed to be at least as secure as using just a single isogeny, since anybody who can break the multiple isogenies version can convert the single isogeny version to the multiple isogenies version by adding in isogenies φ₂, . . . , φ_n as determined by them. Moreover, for such a system, any successful attack on the multiple isogenies version requires a simultaneous break of all of the single isogenies φ₁ through φ_n.

Identity Based Encryption (IBE) Scheme with Isogenies

FIG. 5 illustrates an exemplary method 500 for identity based encryption (IBE) using isogenies. The one-way isogeny between the elliptic curves is believed to make an identity based encryption (IBE) scheme potentially secure against computational Diffie-Hellman (CDH). The IBE scheme may be defined as follows.

MAP TO POINT: Define the operation ID ↦ P ∈ E for some curve E. More specifically, one may compute H(id) and use it to define a point. It may be assumed that H behaves like a random oracle. Alternately, we may keep a table of points and hash ID into a random string of weights and then take a weighted sum. We may also assume that there is a trusted authority and a finite set of users, each with some ID from which one can compute the corresponding public key. Each user gets his private key after suitable identification by the trusted authority.

Public Key for the Trusted Authority: α ∈ E₁, β=φ(α). Accordingly, a trusted authority (or another entity such as a receiving party) provides and publishes public keys (502). If a twist λ is being used, we may assume that α=λ(a) is the twisted image of some point a.

Private Key for the Trusted Authority. An efficiently computable φ̂.

For example, encrypted data from Bob to Alice can be implemented as follows:

Public Key for Alice: T ∈ E₂ is provided, e.g., via the map-to-point function ID ↦ T (502) by a trusted authority (or another entity such as a receiving party).

Private Key for Alice: S=φ̂(T). Note that attacking to get a private key quickly for each client would take time similar to the one for a global break in the signature system (discussed above). As a result, these systems may also be referred to as two-tier systems.

Encryption by Bob. Compute ALICE ↦ T (stage 504, which encrypts a message with the generated public key). Let the message be m. Pick a random integer r. Send to Alice the pair (506): [m ⊕ H(e(β,rT)), rα]

Decryption by Alice. Let the cipher text be [c,T]. The encrypted message sent is decrypted (508) using a private key (510) provided by a trusted authority (or another entity such as a receiving party) after suitable identification. As a result, the clear text is: c ⊕ H(e(rα,S))

This works because the quantity being hashed in the encryption stage is: e(β,rT)=e(φ(α),rT)=e(α, φ̂(rT))=e(α, rφ̂(T))=e(α, rS)=e(rα, S),

which is equal to the quantity being hashed in the decryption stage. An isogeny may be represented as discussed below (e.g., to use a probabilistic approach involving a table of entries).

Specifying an Isogeny

If the isogeny is smooth, it may be represented as a composition of small degree isogenies given by a straight-line program representing polynomial computations. For curves over extensions of interest, a small table of input-output pairs suffices in an implementation.

Taking End(E)=End_k̄(E), finite extensions of k may be considered and the extension may be specified as appropriate. In one implementation, an isogeny is specified by its action on the group of points over some finite extension of the ground field. Note that two isogenies may coincide up to some extensions, but may be distinct in a larger field. Accordingly, it suffices to specify φ on a set of generators S. Generally, the group is cyclic, or as above |S|=2. It is considered not easy to find the generators, but one can choose S randomly.

More particularly, as an Abelian group E(k) (recall: k is a finite field of q elements) is isomorphic to Z/mZ×Z/nZ, where mn=#E(k), n|m and in addition n|D, D=(mn, q−1). One can compute mn=#E(k) using Schoof's algorithm and if the factorization of D is known, n can be obtained using a randomized polynomial time algorithm. If P̃ and Q̃ are of order n and m respectively such that any point can be written as aP̃+bQ̃, they are called generators in echelon form and an $O\left(q^{\frac{1}{2} + \epsilon}\right)$ algorithm may be used for constructing them.

Turning to random choices (Erdos-Renyi), let G be a finite Abelian group and g₁, . . . , g_k be random elements of G. There exists a small constant c, such that its subset sums are almost uniformly distributed over G, if k≧c·log|G|. In particular, the g_i may generate G. To reduce the table size, one can use its strengthening weighted subset sums rather than subset sums when the group order is a prime. This extends to arbitrary orders with some small loss of parameters.

Moreover, the structure of E(k) may be used to obtain more detailed information. One can pick random points P_i, i≦2 and write them as P_i=a_i P̃+b_i Q̃. More particularly, one can express each of the echelon generators by linear combinations of P_i if the matrix $\begin{bmatrix} a_{1} & a_{2} \\ b_{1} & b_{2} \end{bmatrix}$ is invertible mod m (note that n|m). When this happens, {P_i} will generate the group. Note that the probability that both P₁ and P₂ fall in the group generated by P̃ is m⁻². Similarly, the probability for the group generated by Q̃ is n⁻². Thus, neither of these two events happens with probability (1−m⁻²)(1−n⁻²)=1+(#E)⁻²−(m⁻²+n⁻²).

Hardware Implementation

FIG. 6 illustrates a general computer environment 600, which can be used to implement the techniques described herein. For example, the computer environment 600 may be utilized to execute instructions associated with performing the tasks discussed with reference to the previous figures. Furthermore, each entity discussed herein (e.g., with respect to FIGS. 1, 3, and 5 such as the trusted party, receiving party, and/or sending party) may each have access to a general computer environment.

The computer environment 600 is only one example of a computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the computer and network architectures. Neither should the computer environment 600 be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary computer environment 600.

Computer environment 600 includes a general-purpose computing device in the form of a computer 602. The components of computer 602 can include, but are not limited to, one or more processors or processing units 604 (optionally including a cryptographic processor or co-processor), a system memory 606, and a system bus 608 that couples various system components including the processor 604 to the system memory 606.

The system bus 608 represents one or more of any of several types of busstructures, including a memory bus or memory controller, a peripheralbus, an accelerated graphics port, and a processor or local bus usingany of a variety of bus architectures. By way of example, sucharchitectures can include an Industry Standard Architecture (ISA) bus, aMicro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, aVideo Electronics Standards Association (VESA) local bus, and aPeripheral Component Interconnects (PCI) bus also known as a Mezzaninebus.

Computer 602 typically includes a variety of computer-readable media.Such media can be any available media that is accessible by computer 602and includes both volatile and non-volatile media, removable andnon-removable media.

The system memory 606 includes computer-readable media in the form ofvolatile memory, such as random access memory (RAM) 610, and/ornon-volatile memory, such as read only memory (ROM) 612. A basicinput/output system (BIOS) 614, containing the basic routines that helpto transfer information between elements within computer 602, such asduring start-up, is stored in ROM 612. RAM 610 typically contains dataand/or program modules that are immediately accessible to and/orpresently operated on by the processing unit 604.

Computer 602 may also include other removable/non-removable,volatile/non-volatile computer storage media. By way of example, FIG. 6illustrates a hard disk drive 616 for reading from and writing to anon-removable, non-volatile magnetic media (not shown), a magnetic diskdrive 618 for reading from and writing to a removable, non-volatilemagnetic disk 620 (e.g., a “floppy disk”), and an optical disk drive 622for reading from and/or writing to a removable, non-volatile opticaldisk 624 such as a CD-ROM, DVD-ROM, or other optical media. The harddisk drive 616, magnetic disk drive 618, and optical disk drive 622 areeach connected to the system bus 608 by one or more data mediainterfaces 626. Alternatively, the hard disk drive 616, magnetic diskdrive 618, and optical disk drive 622 can be connected to the system bus608 by one or more interfaces (not shown).

The disk drives and their associated computer-readable media providenon-volatile storage of computer-readable instructions, data structures,program modules, and other data for computer 602. Although the exampleillustrates a hard disk 616, a removable magnetic disk 620, and aremovable optical disk 624, it is to be appreciated that other types ofcomputer-readable media which can store data that is accessible by acomputer, such as magnetic cassettes or other magnetic storage devices,flash memory cards, CD-ROM, digital versatile disks (DVD) or otheroptical storage, random access memories (RAM), read only memories (ROM),electrically erasable programmable read-only memory (EEPROM), and thelike, can also be utilized to implement the exemplary computing systemand environment.

Any number of program modules can be stored on the hard disk 616,magnetic disk 620, optical disk 624, ROM 612, and/or RAM 610, includingby way of example, an operating system 626, one or more applicationprograms 628, other program modules 630, and program data 632. Each ofsuch operating system 626, one or more application programs 628, otherprogram modules 630, and program data 632 (or some combination thereof)may implement all or part of the resident components that support thedistributed file system.

A user can enter commands and information into computer 602 via inputdevices such as a keyboard 634 and a pointing device 636 (e.g., a“mouse”). Other input devices 638 (not shown specifically) may include amicrophone, joystick, game pad, satellite dish, serial port, scanner,and/or the like. These and other input devices are connected to theprocessing unit 604 via input/output interfaces 640 that are coupled tothe system bus 608, but may be connected by other interface and busstructures, such as a parallel port, game port, or a universal serialbus (USB).

A monitor 642 or other type of display device can also be connected tothe system bus 608 via an interface, such as a video adapter 644. Inaddition to the monitor 642, other output peripheral devices can includecomponents such as speakers (not shown) and a printer 646 which can beconnected to computer 602 via the input/output interfaces 640.

Computer 602 can operate in a networked environment using logicalconnections to one or more remote computers, such as a remote computingdevice 648. By way of example, the remote computing device 648 can be apersonal computer, portable computer, a server, a router, a networkcomputer, a peer device or other common network node, game console, andthe like. The remote computing device 648 is illustrated as a portablecomputer that can include many or all of the elements and featuresdescribed herein relative to computer 602.

Logical connections between computer 602 and the remote computer 648 aredepicted as a local area network (LAN) 650 and a general wide areanetwork (WAN) 652. Such networking environments are commonplace inoffices, enterprise-wide computer networks, intranets, and the Internet.

When implemented in a LAN networking environment, the computer 602 isconnected to a local network 650 via a network interface or adapter 654.When implemented in a WAN networking environment, the computer 602typically includes a modem 656 or other means for establishingcommunications over the wide network 652. The modem 656, which can beinternal or external to computer 602, can be connected to the system bus608 via the input/output interfaces 640 or other appropriate mechanisms.It is to be appreciated that the illustrated network connections areexemplary and that other means of establishing communication link(s)between the computers 602 and 648 can be employed.

In a networked environment, such as that illustrated with computingenvironment 600, program modules depicted relative to the computer 602,or portions thereof, may be stored in a remote memory storage device. Byway of example, remote application programs 658 reside on a memorydevice of remote computer 648. For purposes of illustration, applicationprograms and other executable program components such as the operatingsystem are illustrated herein as discrete blocks, although it isrecognized that such programs and components reside at various times indifferent storage components of the computing device 602, and areexecuted by the data processor(s) of the computer.

Various modules and techniques may be described herein in the generalcontext of computer-executable instructions, such as program modules,executed by one or more computers or other devices. Generally, programmodules include routines, programs, objects, components, datastructures, etc. that perform particular tasks or implement particularabstract data types. Typically, the functionality of the program modulesmay be combined or distributed as desired in various implementations.

An implementation of these modules and techniques may be stored on ortransmitted across some form of computer-readable media.Computer-readable media can be any available media that can be accessedby a computer. By way of example, and not limitation, computer-readablemedia may comprise “computer storage media” and “communications media.”

“Computer storage media” includes volatile and non-volatile, removableand non-removable media implemented in any method or technology forstorage of information such as computer-readable instructions, datastructures, program modules, or other data. Computer storage mediaincludes, but is not limited to, RAM, ROM, EEPROM, flash memory or othermemory technology, CD-ROM, digital versatile disks (DVD) or otheroptical storage, magnetic cassettes, magnetic tape, magnetic diskstorage or other magnetic storage devices, or any other medium which canbe used to store the desired information and which can be accessed by acomputer.

“Communication media” typically includes computer-readable instructions,data structures, program modules, or other data in a modulated datasignal, such as carrier wave or other transport mechanism. Communicationmedia also includes any information delivery media. The term “modulateddata signal” means a signal that has one or more of its characteristicsset or changed in such a manner as to encode information in the signal.By way of example, and not limitation, communication media includeswired media such as a wired network or direct-wired connection, andwireless media such as acoustic, radio frequency (RF), infrared (IR),wireless fidelity (e.g., IEEE 802.11b wireless networking) (Wi-Fi),cellular, Bluetooth enabled, and other wireless media. Combinations ofany of the above are also included within the scope of computer-readablemedia.

Conclusion

Although the invention has been described in language specific to structural features and/or methodological acts, it is to be understood that the invention defined in the appended claims is not necessarily limited to the specific features or acts described. Rather, the specific features and acts are disclosed as exemplary forms of implementing the claimed invention. For example, the elliptic curves discussed herein are a one-dimensional case of Abelian varieties. Also, isogenies may be used in other applications such as blind signatures, hierarchical systems, and the like. As such, the techniques described herein may be applied to higher dimension Abelian varieties.

1. A method comprising: generating an isogeny that maps a plurality of points from a first elliptic curve onto a second elliptic curve; publishing a public key corresponding to the isogeny; encrypting a message using an encryption key corresponding to the isogeny; and decrypting the encrypted message using a decryption key corresponding to the isogeny.
2. A method as recited by claim 1, wherein at least one of the encryption key or the decryption key is a private key, the private key being a dual isogeny of the isogeny.
3. A method as recited by claim 1, wherein the isogeny is generated using a technique selected from a group comprising complex multiplication generation, modular generation, linearly independent generation, and combinations thereof.
4. A method as recited by claim 1, wherein the generating maps a plurality of points from a first elliptic curve onto a plurality of elliptic curves.
5. A method as recited by claim 1, wherein the decrypting is performed by bilinear pairing.
6. A method as recited by claim 5, wherein the bilinear pairing is a pairing selected from a group comprising Weil pairing, Tate pairing, and square pairing.
7. A method as recited by claim 1, wherein the method is applied using Abelian varieties.
8. A method as recited by claim 1, wherein the method signs the message.
9. A method as recited by claim 1, wherein the method provides identity based encryption.
10. A method as recited by claim 1, further comprising composing a plurality of modular isogenies to provide the isogeny without revealing any intermediate curves.
11. A method as recited by claim 1, further comprising using a trace map down to a base field to shorten points on an elliptic curve mapped by the isogeny.
12. A method as recited by claim 1, further comprising using a trace map to shorten points on an Abelian variety.
13. A method comprising: publishing a public key corresponding to an isogeny that maps a plurality of points from a first elliptic curve onto a second elliptic curve; and decrypting an encrypted message using a decryption key corresponding to the isogeny.
14. A method as recited by claim 13, wherein the decryption key is a dual isogeny of the isogeny.
15. A method as recited by claim 13, wherein the isogeny is generated using a technique selected from a group comprising complex multiplication generation, modular generation, linearly independent generation, and combinations thereof.
16. A method as recited by claim 13, wherein the isogeny maps a plurality of points from a first elliptic curve onto a plurality of elliptic curves.
17. A method as recited by claim 13, wherein the decryption is performed by bilinear pairing.
18. A method as recited by claim 17, wherein the bilinear pairing is a pairing selected from a group comprising Weil pairing, Tate pairing, and square pairing.
19. A method as recited by claim 13, wherein the method is applied using Abelian varieties.
20. A method as recited by claim 13, wherein the method signs the message.
21. A method as recited by claim 13, wherein the method provides identity based encryption.
22. A method as recited by claim 13, further comprising using a trace map down to a base field to shorten points on an elliptic curve mapped by the isogeny.
23. A system comprising: a first processor; a first system memory coupled to the first processor, the first system memory storing a public key corresponding to an isogeny that maps a plurality of points from a first elliptic curve onto a second elliptic curve; a second processor; a second system memory coupled to the second processor, the second system memory storing an encrypted message and a decryption key corresponding to the isogeny to decrypt the encrypted message, wherein the encrypted message is encrypted using an encryption key.
24. A system as recited by claim 23, wherein at least one of the encryption key or the decryption key is a private key, the private key being a dual isogeny of the isogeny.
25. A system as recited by claim 23, wherein the isogeny maps a plurality of points from a first elliptic curve onto a plurality of elliptic curves.
26. A system as recited by claim 23, wherein the decryption is performed by bilinear pairing.
27. A system as recited by claim 26, wherein the bilinear pairing is a pairing selected from a group comprising Weil pairing, Tate pairing, and square pairing.
28. One or more computer-readable media having instructions stored thereon that, when executed, direct a machine to perform acts comprising: publishing a public key corresponding to an isogeny that maps a plurality of points from a first elliptic curve onto a second elliptic curve; and decrypting an encrypted message using a decryption key corresponding to the isogeny.
29. One or more computer-readable media as recited by claim 28, wherein the decryption key is a private key, the private key being a dual isogeny of the isogeny.
30. One or more computer-readable media as recited by claim 28, wherein the isogeny is generated using a technique selected from a group comprising complex multiplication generation, modular generation, linearly independent generation, and combinations thereof.
31. One or more computer-readable media as recited by claim 28, wherein the isogeny maps a plurality of points from a first elliptic curve onto a plurality of elliptic curves.
32. One or more computer-readable media as recited by claim 28, wherein the decrypting is performed by bilinear pairing.
33. One or more computer-readable media as recited by claim 32, wherein the bilinear pairing is a pairing selected from a group comprising Weil pairing, Tate pairing, and square pairing.
34. One or more computer-readable media as recited by claim 28, wherein the acts are applied using Abelian varieties.
35. One or more computer-readable media as recited by claim 28, wherein the acts further comprise using a trace map down to a base field to shorten points on an elliptic curve mapped by the isogeny.
36. One or more computer-readable media as recited by claim 28, wherein the acts further comprise composing a plurality of modular isogenies to provide the isogeny without revealing any intermediate curves.
37. One or more computer-readable media as recited by claim 28, wherein the acts further comprise using a trace map to shorten points on an Abelian variety.
38. One or more computer-readable media as recited by claim 28, wherein the acts sign the message.
39. One or more computer-readable media as recited by claim 28, wherein the acts provide identity based encryption.